A small notice/entry on the Information Commissioner’s Office site yesterday:
An Undertaking to comply with the seventh data protection principle has been signed by Eastern and Coastal Kent Primary Care Trust. This follows the loss of a CD containing personal data during a move of office premises.
View the Eastern and Coastal Kent Primary Care Trust undertaking
That’s all they wrote. No press release or anything else. But looking at the undertaking, this involved a lot of people’s data:
The Information Commissioner (the “Commissioner”) was provided with a report by the data controller informing that a filing cabinet containing personal data had been sent to landfill during a move of office premises. The filing cabinet contained a CD holding the address, date of birth, NHS number and GP practice code of approximately 1.6 million individuals.
When planning the office move the security of the CD was considered and it was deemed appropriate to store it in the filing cabinet concerned. Although communication was established with the Project Manager co-ordinating the move, the existence of the CD was not communicated leading to the disposal of the filing cabinet. It was also found that the team concerned were not up to date with their Information Governance training and had not accessed relevant guidance on how to dispose of the CD. The data controller did take steps to attempt to retrieve the filing cabinet once discovered missing, however the cabinet had already gone to landfill and was unable to be recovered. It has been noted that the data controller has taken substantial remedial measures to prevent the reoccurrence of such an incident.
I’d have thought a data loss affecting 1.6 million people would merit at least a press release. Silly me.